qsni¹
====

qsni (quite simple network isolation) allows simple assignment of
per-cgroup iptables rules to programs.

While you can also achieve this (and more) using network namespaces,
the setup is not as simple/easy.

Requirements
------------

You need an iptables version that supports cgroup matching (e.g.
version >= 1.6).

The following kernel config parameters must be set:

```
CONFIG_NETFILTER_XT_MATCH_CGROUP
CONFIG_NET_CLS_CGROUP
```

Example
-------

```
$ qsni blocked ping google.com
ping: unknown host google.com
```

```
$ qsni lan bash
$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.127 ms
$ qsni someprofile bash
already assigned to a net class, thus you can't use this binary to change that
$
```

Setup
-----

If cgroup_root isn't mounted to /sys/fs/cgroup, do it or change the
constant in the source to the correct path.

```
make
cp qsni /usr/bin/
chmod o=rx /usr/bin/qsni
chown root:root /usr/bin/qsni
setcap 'cap_setuid=ep cap_setgid=ep' /usr/bin/qsni

mkdir /etc/qsni.d
chmod o=rx /etc/qsni.d
cp profiles/blocked /etc/qsni.d/blocked
chmod o=r /etc/qsni.d/blocked
```

Every profile must have its own unique CGROUP_ID value in the profile
file, since iptables matches packets by that classid and two profiles
sharing one id would share the same rules.

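The mechanism the sections above describe (a net_cls cgroup per profile, iptables rules matched on its classid, and the program started inside that cgroup so its children inherit the restriction), done by hand as an added example. This is not qsni's own code and does not read qsni's profile files, whose format the README does not show. It assumes a cgroup v1 net_cls hierarchy under /sys/fs/cgroup/net_cls, a `qsni` subdirectory there, the two classids chosen below, and 192.168.0.0/16 as the LAN prefix for the `lan` profile (matching the 192.168.1.1 from the example); all of these are assumptions. It also reproduces the "already assigned to a net class" refusal seen in the example.

```shell
#!/bin/sh
# Added example, not part of qsni: per-profile net_cls cgroups plus iptables
# cgroup-match rules. Assumed layout: cgroup v1 net_cls under $CGROUP_ROOT.
set -eu

CGROUP_ROOT=/sys/fs/cgroup            # same root the README expects
NETCLS="$CGROUP_ROOT/net_cls/qsni"    # assumed sub-hierarchy for profiles
LAN_NET=192.168.0.0/16                # assumed LAN prefix for the "lan" profile

# Classid per profile. Each must be unique: iptables matches on it, so two
# profiles sharing an id would share rules (cf. the CGROUP_ID requirement).
profile_classid() {
    case "$1" in
        blocked) echo 0x00100001 ;;
        lan)     echo 0x00100002 ;;
        *) echo "unknown profile: $1" >&2; return 1 ;;
    esac
}

# Print the iptables commands for a profile, one per line. They are printed
# rather than run so the rule set can be reviewed (and tested) without root.
rules_for() {
    cid=$(profile_classid "$1") || return 1
    case "$1" in
        blocked)
            # Everything, DNS included, is rejected: hence "unknown host".
            echo "iptables -A OUTPUT -m cgroup --cgroup $cid -j REJECT"
            ;;
        lan)
            echo "iptables -A OUTPUT -m cgroup --cgroup $cid -d $LAN_NET -j ACCEPT"
            echo "iptables -A OUTPUT -m cgroup --cgroup $cid -j REJECT"
            ;;
    esac
}

# Read /proc/<pid>/cgroup contents on stdin and print the net_cls path;
# "/" means the process is in the root, i.e. not assigned to a net class.
# Line format: "<hierarchy-id>:<controllers>:<path>".
netcls_path() {
    awk -F: '$2 ~ /(^|,)net_cls(,|$)/ { print $3; found=1 }
             END { if (!found) print "/" }'
}

# True when the given cgroup file contents show no net_cls assignment.
# Takes the contents as an argument so it can be checked without /proc.
is_unassigned() {
    [ "$(printf '%s\n' "$1" | netcls_path)" = "/" ]
}

# Create the profile's cgroup and install its rules (needs root).
setup_profile() {
    p=$1; cid=$(profile_classid "$p")
    mountpoint -q "$CGROUP_ROOT/net_cls" ||
        mount -t cgroup -o net_cls none "$CGROUP_ROOT/net_cls"
    mkdir -p "$NETCLS/$p"
    printf '%s\n' "$cid" > "$NETCLS/$p/net_cls.classid"
    rules_for "$p" | while read -r cmd; do $cmd; done
}

# Run a command inside the profile's cgroup. The pid is written to "tasks"
# before exec, so the command and everything it forks inherit the classid.
# Like qsni, refuse if the caller already sits in a net_cls cgroup.
run_in_profile() {
    p=$1; shift
    is_unassigned "$(cat /proc/self/cgroup)" ||
        { echo "already assigned to a net class" >&2; return 1; }
    sh -c 'echo $$ > "$0/tasks" && exec "$@"' "$NETCLS/$p" "$@"
}

# Stand-alone: print the planned rules; with QSNI_DEMO_APPLY=1 (as root)
# create both profiles and ping the router from inside "lan".
if [ "${QSNI_DEMO_APPLY:-0}" = 1 ]; then
    setup_profile blocked
    setup_profile lan
    run_in_profile lan ping -c 1 192.168.1.1
else
    rules_for blocked
    rules_for lan
fi
```

Because OUTPUT-chain rejects surface to the sender as EPERM, a program in the `lan` cgroup sees exactly the "sendmsg: Operation not permitted" from the example, while the LAN address is accepted by the earlier rule. The design keeps rule generation pure and separates it from privileged application, which is also the part worth reviewing before installing anything.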
Security discussion
-------------------

This alone is not a satisfactory way to prevent misbehaving programs
from contacting destinations you don't want them to. While the restrictions
also apply to the children of the launched programs, at a minimum, file
system isolation is also necessary and perhaps IPC etc.

qsni however does not aim to be a complete "jailing/isolation" solution.
Nevertheless, I have use cases for it, hence its existence.

¹ name is preliminary,